LoFP / This is an intentional action taken by AWS in the event of compromised credentials. Follow the instructions specified in the support case created for you regarding this event.

Techniques

Sample rules

AWS IAM CompromisedKeyQuarantine Policy Attached to User

Description

This rule looks for use of the IAM AttachUserPolicy API operation to attach the CompromisedKeyQuarantine or CompromisedKeyQuarantineV2 AWS managed policy to an existing IAM user. These policies deny access to certain actions and are applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly.

Detection logic

any where event.dataset == "aws.cloudtrail"
   and event.action == "AttachUserPolicy"
   and event.outcome == "success"
   and stringContains(aws.cloudtrail.request_parameters, "AWSCompromisedKeyQuarantine")
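The same conditions replayed over raw CloudTrail records, as an added example that is not part of the original rule or of the Elastic rule set. It assumes the usual mapping between CloudTrail JSON and the ECS fields the query uses: `event.action` is `eventName`, `event.outcome == "success"` means the record carries no `errorCode`, and `aws.cloudtrail.request_parameters` is the serialized `requestParameters` object. The sample records are constructed for the example; the only real identifiers in them are the two AWS managed policy ARNs named in the description.

```python
"""Replay of the 'CompromisedKeyQuarantine Policy Attached to User' logic
over raw CloudTrail records (added example, not the rule's own code)."""
import json

# Substring the rule searches for inside the serialized request parameters.
# It matches both the original and the V2 AWS managed policy names.
QUARANTINE_MARKER = "AWSCompromisedKeyQuarantine"

# Constructed sample CloudTrail records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {   # Quarantine policy attached to an IAM user: the rule should fire.
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/exposed-dev"},
        "requestParameters": {
            "userName": "exposed-dev",
            "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2",
        },
    },
    {   # Same call, but denied: event.outcome would be "failure", no alert.
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "errorCode": "AccessDenied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/exposed-dev"},
        "requestParameters": {
            "userName": "exposed-dev",
            "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine",
        },
    },
    {   # Ordinary managed policy attached: no alert.
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachUserPolicy",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
        "requestParameters": {
            "userName": "new-hire",
            "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
        },
    },
    {   # Quarantine policy attached to a role: outside this rule's scope.
        "eventSource": "iam.amazonaws.com",
        "eventName": "AttachRolePolicy",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
        "requestParameters": {
            "roleName": "ci-deploy",
            "policyArn": "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2",
        },
    },
]


def is_quarantine_attach(event: dict) -> bool:
    """Mirror the rule's four conditions against one CloudTrail record."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if event.get("eventName") != "AttachUserPolicy":      # event.action
        return False
    if "errorCode" in event:                               # event.outcome != success
        return False
    params = event.get("requestParameters") or {}
    # aws.cloudtrail.request_parameters is the serialized object, so a
    # substring test over the JSON text matches stringContains() behaviour.
    return QUARANTINE_MARKER in json.dumps(params)


def find_quarantined_users(events: list) -> list:
    """Return (user name, policy ARN) for every record the rule would flag.

    Each hit is the starting point for the triage the false-positive note
    describes: confirm AWS applied the policy and locate the support case
    before treating the attach itself as attacker activity.
    """
    hits = []
    for event in events:
        if is_quarantine_attach(event):
            params = event["requestParameters"]
            hits.append((params.get("userName"), params.get("policyArn")))
    return hits


if __name__ == "__main__":
    for user, policy in find_quarantined_users(SAMPLE_EVENTS):
        print(f"quarantine policy attached to user {user}: {policy}")
```

Only the first record survives all four checks; the failed call, the unrelated policy and the role attach are each dropped by a different condition, which is a quick way to confirm that a translated rule keeps the same scope as the original query.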